4.3BSD-Reno/share/man/cat3/krb_mk_req.0
KERBEROS(3) 4.0 KERBEROS(3)
N�NA�AM�ME�E
krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key,
krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe,
krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl - Kerberos
authentication library
S�SY�YN�NO�OP�PS�SI�IS�S
#�#i�in�nc�cl�lu�ud�de�e <�<k�ke�er�rb�be�er�ro�os�sI�IV�V/�/d�de�es�s.�.h�h>�>
#�#i�in�nc�cl�lu�ud�de�e <�<k�ke�er�rb�be�er�ro�os�sI�IV�V/�/k�kr�rb�b.�.h�h>�>
e�ex�xt�te�er�rn�n c�ch�ha�ar�r *�*k�kr�rb�b_�_e�er�rr�r_�_t�tx�xt�t[�[]�];�;
i�in�nt�t k�kr�rb�b_�_m�mk�k_�_r�re�eq�q(�(a�au�ut�th�he�en�nt�t,�,s�se�er�rv�vi�ic�ce�e,�,i�in�ns�st�ta�an�nc�ce�e,�,r�re�ea�al�lm�m,�,c�ch�he�ec�ck�ks�su�um�m)�)
K�KT�TE�EX�XT�T a�au�ut�th�he�en�nt�t;�;
c�ch�ha�ar�r *�*s�se�er�rv�vi�ic�ce�e;�;
c�ch�ha�ar�r *�*i�in�ns�st�ta�an�nc�ce�e;�;
c�ch�ha�ar�r *�*r�re�ea�al�lm�m;�;
u�u_�_l�lo�on�ng�g c�ch�he�ec�ck�ks�su�um�m;�;
i�in�nt�t k�kr�rb�b_�_r�rd�d_�_r�re�eq�q(�(a�au�ut�th�he�en�nt�t,�,s�se�er�rv�vi�ic�ce�e,�,i�in�ns�st�ta�an�nc�ce�e,�,f�fr�ro�om�m_�_a�ad�dd�dr�r,�,a�ad�d,�,f�fn�n)�)
K�KT�TE�EX�XT�T a�au�ut�th�he�en�nt�t;�;
c�ch�ha�ar�r *�*s�se�er�rv�vi�ic�ce�e;�;
c�ch�ha�ar�r *�*i�in�ns�st�ta�an�nc�ce�e;�;
u�u_�_l�lo�on�ng�g f�fr�ro�om�m_�_a�ad�dd�dr�r;�;
A�AU�UT�TH�H_�_D�DA�AT�T *�*a�ad�d;�;
c�ch�ha�ar�r *�*f�fn�n;�;
i�in�nt�t k�kr�rb�b_�_k�kn�nt�to�ol�ln�n(�(a�ad�d,�,l�ln�na�am�me�e)�)
A�AU�UT�TH�H_�_D�DA�AT�T *�*a�ad�d;�;
c�ch�ha�ar�r *�*l�ln�na�am�me�e;�;
i�in�nt�t k�kr�rb�b_�_s�se�et�t_�_k�ke�ey�y(�(k�ke�ey�y,�,c�cv�vt�t)�)
c�ch�ha�ar�r *�*k�ke�ey�y;�;
i�in�nt�t c�cv�vt�t;�;
i�in�nt�t k�kr�rb�b_�_g�ge�et�t_�_c�cr�re�ed�d(�(s�se�er�rv�vi�ic�ce�e,�,i�in�ns�st�ta�an�nc�ce�e,�,r�re�ea�al�lm�m,�,c�c)�)
c�ch�ha�ar�r *�*s�se�er�rv�vi�ic�ce�e;�;
c�ch�ha�ar�r *�*i�in�ns�st�ta�an�nc�ce�e;�;
c�ch�ha�ar�r *�*r�re�ea�al�lm�m;�;
C�CR�RE�ED�DE�EN�NT�TI�IA�AL�LS�S *�*c�c;�;
l�lo�on�ng�g k�kr�rb�b_�_m�mk�k_�_p�pr�ri�iv�v(�(i�in�n,�,o�ou�ut�t,�,i�in�n_�_l�le�en�ng�gt�th�h,�,s�sc�ch�he�ed�du�ul�le�e,�,k�ke�ey�y,�,s�se�en�nd�de�er�r,�,r�re�ec�ce�ei�iv�ve�er�r)�)
u�u_�_c�ch�ha�ar�r *�*i�in�n;�;
u�u_�_c�ch�ha�ar�r *�*o�ou�ut�t;�;
u�u_�_l�lo�on�ng�g i�in�n_�_l�le�en�ng�gt�th�h;�;
d�de�es�s_�_c�cb�bl�lo�oc�ck�k k�ke�ey�y;�;
d�de�es�s_�_k�ke�ey�y_�_s�sc�ch�he�ed�du�ul�le�e s�sc�ch�he�ed�du�ul�le�e;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*s�se�en�nd�de�er�r;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*r�re�ec�ce�ei�iv�ve�er�r;�;
l�lo�on�ng�g k�kr�rb�b_�_r�rd�d_�_p�pr�ri�iv�v(�(i�in�n,�,i�in�n_�_l�le�en�ng�gt�th�h,�,s�sc�ch�he�ed�du�ul�le�e,�,k�ke�ey�y,�,s�se�en�nd�de�er�r,�,r�re�ec�ce�ei�iv�ve�er�r,�,m�ms�sg�g_�_d�da�at�ta�a)�)
u�u_�_c�ch�ha�ar�r *�*i�in�n;�;
Printed 7/27/90 Kerberos 1
KERBEROS(3) 4.0 KERBEROS(3)
u�u_�_l�lo�on�ng�g i�in�n_�_l�le�en�ng�gt�th�h;�;
K�Ke�ey�y_�_s�sc�ch�he�ed�du�ul�le�e s�sc�ch�he�ed�du�ul�le�e;�;
d�de�es�s_�_c�cb�bl�lo�oc�ck�k k�ke�ey�y;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*s�se�en�nd�de�er�r;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*r�re�ec�ce�ei�iv�ve�er�r;�;
M�MS�SG�G_�_D�DA�AT�T *�*m�ms�sg�g_�_d�da�at�ta�a;�;
l�lo�on�ng�g k�kr�rb�b_�_m�mk�k_�_s�sa�af�fe�e(�(i�in�n,�,o�ou�ut�t,�,i�in�n_�_l�le�en�ng�gt�th�h,�,k�ke�ey�y,�,s�se�en�nd�de�er�r,�,r�re�ec�ce�ei�iv�ve�er�r)�)
u�u_�_c�ch�ha�ar�r *�*i�in�n;�;
u�u_�_c�ch�ha�ar�r *�*o�ou�ut�t;�;
u�u_�_l�lo�on�ng�g i�in�n_�_l�le�en�ng�gt�th�h;�;
d�de�es�s_�_c�cb�bl�lo�oc�ck�k k�ke�ey�y;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*s�se�en�nd�de�er�r;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*r�re�ec�ce�ei�iv�ve�er�r;�;
l�lo�on�ng�g k�kr�rb�b_�_r�rd�d_�_s�sa�af�fe�e(�(i�in�n,�,l�le�en�ng�gt�th�h,�,k�ke�ey�y,�,s�se�en�nd�de�er�r,�,r�re�ec�ce�ei�iv�ve�er�r,�,m�ms�sg�g_�_d�da�at�ta�a)�)
u�u_�_c�ch�ha�ar�r *�*i�in�n;�;
u�u_�_l�lo�on�ng�g l�le�en�ng�gt�th�h;�;
d�de�es�s_�_c�cb�bl�lo�oc�ck�k k�ke�ey�y;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*s�se�en�nd�de�er�r;�;
s�st�tr�ru�uc�ct�t s�so�oc�ck�ka�ad�dd�dr�r_�_i�in�n *�*r�re�ec�ce�ei�iv�ve�er�r;�;
M�MS�SG�G_�_D�DA�AT�T *�*m�ms�sg�g_�_d�da�at�ta�a;�;
l�lo�on�ng�g k�kr�rb�b_�_m�mk�k_�_e�er�rr�r(�(o�ou�ut�t,�,c�co�od�de�e,�,s�st�tr�ri�in�ng�g)�)
u�u_�_c�ch�ha�ar�r *�*o�ou�ut�t;�;
l�lo�on�ng�g c�co�od�de�e;�;
c�ch�ha�ar�r *�*s�st�tr�ri�in�ng�g;�;
l�lo�on�ng�g k�kr�rb�b_�_r�rd�d_�_e�er�rr�r(�(i�in�n,�,l�le�en�ng�gt�th�h,�,c�co�od�de�e,�,m�ms�sg�g_�_d�da�at�ta�a)�)
u�u_�_c�ch�ha�ar�r *�*i�in�n;�;
u�u_�_l�lo�on�ng�g l�le�en�ng�gt�th�h;�;
l�lo�on�ng�g c�co�od�de�e;�;
M�MS�SG�G_�_D�DA�AT�T *�*m�ms�sg�g_�_d�da�at�ta�a;�;
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
This library supports network authentication and various
related operations. The library contains many routines
beyond those described in this man page, but they are not
intended to be used directly. Instead, they are called by
the routines that are described, the authentication server
and the login program.
_�k_�r_�b__�e_�r_�r__�t_�x_�t[] contains text string descriptions of various
Kerberos error codes returned by some of the routines below.
_�k_�r_�b__�m_�k__�r_�e_�q takes a pointer to a text structure in which an
authenticator is to be built. It also takes the name,
instance, and realm of the service to be used and an
optional checksum. It is up to the application to decide
how to generate the checksum. _�k_�r_�b__�m_�k__�r_�e_�q then retrieves a
ticket for the desired service and creates an authenticator.
The authenticator is built in _�a_�u_�t_�h_�e_�n_�t and is accessible to
Printed 7/27/90 Kerberos 2
KERBEROS(3) 4.0 KERBEROS(3)
the calling procedure.
It is up to the application to get the authenticator to the
service where it will be read by _�k_�r_�b__�r_�d__�r_�e_�q. Unless an
attacker posesses the session key contained in the ticket,
it will be unable to modify the authenticator. Thus, the
checksum can be used to verify the authenticity of the other
data that will pass through a connection.
_�k_�r_�b__�r_�d__�r_�e_�q takes an authenticator of type K�KT�TE�EX�XT�T,�, a service
name, an instance, the address of the host originating the
request, and a pointer to a structure of type A�AU�UT�TH�H_�_D�DA�AT�T which
is filled in with information obtained from the authentica-
tor. It also optionally takes the name of the file in which
it will find the secret key(s) for the service. If the sup-
plied _�i_�n_�s_�t_�a_�n_�c_�e contains "*", then the first service key with
the same service name found in the service key file will be
used, and the _�i_�n_�s_�t_�a_�n_�c_�e argument will be filled in with the
chosen instance. This means that the caller must provide
space for such an instance name.
It is used to find out information about the principal when
a request has been made to a service. It is up to the
application protocol to get the authenticator from the
client to the service. The authenticator is then passed to
_�k_�r_�b__�r_�d__�r_�e_�q to extract the desired information.
_�k_�r_�b__�r_�d__�r_�e_�q returns zero (RD_AP_OK) upon successful authenti-
cation. If a packet was forged, modified, or replayed,
authentication will fail. If the authentication fails, a
non-zero value is returned indicating the particular problem
encountered. See _�k_�r_�b._�h for the list of error codes.
If the last argument is the null string (""), krb_rd_req
will use the file /etc/srvtab to find its keys. If the last
argument is NULL, it will assume that the key has been set
by _�k_�r_�b__�s_�e_�t__�k_�e_�y and will not bother looking further.
_�k_�r_�b__�k_�n_�t_�o_�l_�n converts a Kerberos name to a local name. It
takes a structure of type AUTH_DAT and uses the name and
instance to look in the database /etc/aname to find the
corresponding local name. The local name is returned and
can be used by an application to change uids, directories,
or other parameters. It is not an integral part of Ker-
beros, but is instead provided to support the use of Ker-
beros in existing utilities.
_�k_�r_�b__�s_�e_�t__�k_�e_�y takes as an argument a des key. It then creates
a key schedule from it and saves the original key to be used
as an initialization vector. It is used to set the server's
key which must be used to decrypt tickets.
Printed 7/27/90 Kerberos 3
KERBEROS(3) 4.0 KERBEROS(3)
If called with a non-zero second argument, _�k_�r_�b__�s_�e_�t__�k_�e_�y will
first convert the input from a string of arbitrary length to
a DES key by encrypting it with a one-way function.
In most cases it should not be necessary to call
_�k_�r_�b__�s_�e_�t__�k_�e_�y. The necessary keys will usually be obtained and
set inside _�k_�r_�b__�r_�d__�r_�e_�q. _�k_�r_�b__�s_�e_�t__�k_�e_�y is provided for those
applications that do not wish to place the application keys
on disk.
_�k_�r_�b__�g_�e_�t__�c_�r_�e_�d searches the caller's ticket file for a ticket
for the given service, instance, and realm; and, if a ticket
is found, fills in the given CREDENTIALS structure with the
ticket information.
If the ticket was found, _�k_�r_�b__�g_�e_�t__�c_�r_�e_�d returns GC_OK. If the
ticket file can't be found, can't be read, doesn't belong to
the user (other than root), isn't a regular file, or is in
the wrong mode, the error GC_TKFIL is returned.
_�k_�r_�b__�m_�k__�p_�r_�i_�v creates an encrypted, authenticated message from
any arbitrary application data, pointed to by _�i_�n and
_�i_�n__�l_�e_�n_�g_�t_�h bytes long. The private session key, pointed to
by _�k_�e_�y and the key schedule, _�s_�c_�h_�e_�d_�u_�l_�e, are used to encrypt
the data and some header information using _�p_�c_�b_�c__�e_�n_�c_�r_�y_�p_�t.
_�s_�e_�n_�d_�e_�r and _�r_�e_�c_�e_�i_�v_�e_�r point to the Internet address of the two
parties. In addition to providing privacy, this protocol
message protects against modifications, insertions or
replays. The encapsulated message and header are placed in
the area pointed to by _�o_�u_�t and the routine returns the
length of the output, or -1 indicating an error.
_�k_�r_�b__�r_�d__�p_�r_�i_�v decrypts and authenticates a received
_�k_�r_�b__�m_�k__�p_�r_�i_�v message. _�i_�n points to the beginning of the
received message, whose length is specified in _�i_�n__�l_�e_�n_�g_�t_�h.
The private session key, pointed to by _�k_�e_�y, and the key
schedule, _�s_�c_�h_�e_�d_�u_�l_�e, are used to decrypt and verify the
received message. _�m_�s_�g__�d_�a_�t_�a is a pointer to a _�M_�S_�G__�D_�A_�T
struct, defined in _�k_�r_�b._�h. The routine fills in the _�a_�p_�p__�d_�a_�t_�a
field with a pointer to the decrypted application data,
_�a_�p_�p__�l_�e_�n_�g_�t_�h with the length of the _�a_�p_�p__�d_�a_�t_�a field, _�t_�i_�m_�e__�s_�e_�c
and _�t_�i_�m_�e__�5_�m_�s with the timestamps in the message, and _�s_�w_�a_�p
with a 1 if the byte order of the receiver is different than
that of the sender. (The application must still determine
if it is appropriate to byte-swap application data; the Ker-
beros protocol fields are already taken care of). The _�h_�a_�s_�h
field returns a value useful as input to the _�k_�r_�b__�c_�k__�r_�e_�p_�l
routine.
The routine returns zero if ok, or a Kerberos error code.
Modified messages and old messages cause errors, but it is
up to the caller to check the time sequence of messages, and
Printed 7/27/90 Kerberos 4
KERBEROS(3) 4.0 KERBEROS(3)
to check against recently replayed messages using
_�k_�r_�b__�c_�k__�r_�e_�p_�l if so desired.
_�k_�r_�b__�m_�k__�s_�a_�f_�e creates an authenticated, but unencrypted mes-
sage from any arbitrary application data, pointed to by _�i_�n
and _�i_�n__�l_�e_�n_�g_�t_�h bytes long. The private session key, pointed
to by _�k_�e_�y, is used to seed the _�q_�u_�a_�d__�c_�k_�s_�u_�m() checksum algo-
rithm used as part of the authentication. _�s_�e_�n_�d_�e_�r and
_�r_�e_�c_�e_�i_�v_�e_�r point to the Internet address of the two parties.
This message does not provide privacy, but does protect (via
detection) against modifications, insertions or replays.
The encapsulated message and header are placed in the area
pointed to by _�o_�u_�t and the routine returns the length of the
output, or -1 indicating an error. The authentication pro-
vided by this routine is not as strong as that provided by
_�k_�r_�b__�m_�k__�p_�r_�i_�v or by computing the checksum using _�c_�b_�c__�c_�k_�s_�u_�m
instead, both of which authenticate via DES.
_�k_�r_�b__�r_�d__�s_�a_�f_�e authenticates a received _�k_�r_�b__�m_�k__�s_�a_�f_�e message.
_�i_�n points to the beginning of the received message, whose
length is specified in _�i_�n__�l_�e_�n_�g_�t_�h. The private session key,
pointed to by _�k_�e_�y, is used to seed the quad_cksum() routine
as part of the authentication. _�m_�s_�g__�d_�a_�t_�a is a pointer to a
_�M_�S_�G__�D_�A_�T struct, defined in _�k_�r_�b._�h . The routine fills in
these _�M_�S_�G__�D_�A_�T fields: the _�a_�p_�p__�d_�a_�t_�a field with a pointer to
the application data, _�a_�p_�p__�l_�e_�n_�g_�t_�h with the length of the
_�a_�p_�p__�d_�a_�t_�a field, _�t_�i_�m_�e__�s_�e_�c and _�t_�i_�m_�e__�5_�m_�s with the timestamps in
the message, and _�s_�w_�a_�p with a 1 if the byte order of the
receiver is different than that of the sender. (The appli-
cation must still determine if it is appropriate to byte-
swap application data; the Kerberos protocol fields are
already taken care of). The _�h_�a_�s_�h field returns a value use-
ful as input to the _�k_�r_�b__�c_�k__�r_�e_�p_�l routine.
The routine returns zero if ok, or a Kerberos error code.
Modified messages and old messages cause errors, but it is
up to the caller to check the time sequence of messages, and
to check against recently replayed messages using
_�k_�r_�b__�c_�k__�r_�e_�p_�l if so desired.
_�k_�r_�b__�m_�k__�e_�r_�r constructs an application level error message
that may be used along with _�k_�r_�b__�m_�k__�p_�r_�i_�v or _�k_�r_�b__�m_�k__�s_�a_�f_�e. _�o_�u_�t
is a pointer to the output buffer, _�c_�o_�d_�e is an application
specific error code, and _�s_�t_�r_�i_�n_�g is an application specific
error string.
_�k_�r_�b__�r_�d__�e_�r_�r unpacks a received _�k_�r_�b__�m_�k__�e_�r_�r message. _�i_�n points
to the beginning of the received message, whose length is
specified in _�i_�n__�l_�e_�n_�g_�t_�h. _�c_�o_�d_�e is a pointer to a value to be
filled in with the error value provided by the application.
_�m_�s_�g__�d_�a_�t_�a is a pointer to a _�M_�S_�G__�D_�A_�T struct, defined in _�k_�r_�b._�h
Printed 7/27/90 Kerberos 5
KERBEROS(3) 4.0 KERBEROS(3)
. The routine fills in these _�M_�S_�G__�D_�A_�T fields: the _�a_�p_�p__�d_�a_�t_�a
field with a pointer to the application error text,
_�a_�p_�p__�l_�e_�n_�g_�t_�h with the length of the _�a_�p_�p__�d_�a_�t_�a field, and _�s_�w_�a_�p
with a 1 if the byte order of the receiver is different than
that of the sender. (The application must still determine
if it is appropriate to byte-swap application data; the Ker-
beros protocol fields are already taken care of).
The routine returns zero if the error message has been suc-
cessfully received, or a Kerberos error code.
The _�K_�T_�E_�X_�T structure is used to pass around text of varying
lengths. It consists of a buffer for the data, and a
length. krb_rd_req takes an argument of this type contain-
ing the authenticator, and krb_mk_req returns the authenti-
cator in a structure of this type. KTEXT itself is really a
pointer to the structure. The actual structure is of type
KTEXT_ST.
The _�A_�U_�T_�H__�D_�A_�T structure is filled in by krb_rd_req. It must
be allocated before calling krb_rd_req, and a pointer to it
is passed. The structure is filled in with data obtained
from Kerberos. _�M_�S_�G__�D_�A_�T structure is filled in by either
krb_rd_priv, krb_rd_safe, or krb_rd_err. It must be allo-
cated before the call and a pointer to it is passed. The
structure is filled in with data obtained from Kerberos.
F�FI�IL�LE�ES�S
/usr/include/kerberosIV/krb.h
/usr/lib/libkrb.a
/usr/include/kerberosIV/des.h
/usr/lib/libdes.a
/etc/kerberosIV/aname
/etc/kerberosIV/srvtab
/tmp/tkt[uid]
S�SE�EE�E A�AL�LS�SO�O
kerberos(1), des_crypt(3)
D�DI�IA�AG�GN�NO�OS�ST�TI�IC�CS�S
B�BU�UG�GS�S
The caller of _�k_�r_�b__�r_�d__�r_�e_�q, _�k_�r_�b__�r_�d__�p_�r_�i_�v, _�a_�n_�d _�k_�r_�b__�r_�d__�s_�a_�f_�e must
check time order and for replay attempts. _�k_�r_�b__�c_�k__�r_�e_�p_�l is
not implemented yet.
A�AU�UT�TH�HO�OR�RS�S
Clifford Neuman, MIT Project Athena
Steve Miller, MIT Project Athena/Digital Equipment Corpora-
tion
R�RE�ES�ST�TR�RI�IC�CT�TI�IO�ON�NS�S
COPYRIGHT 1985,1986,1989 Massachusetts Institute of
Printed 7/27/90 Kerberos 6
KERBEROS(3) 4.0 KERBEROS(3)
Technology
Printed 7/27/90 Kerberos 7